Cephalus Ransomware

MITRE Techniques

• [T1078] Valid Accounts – Initial access was achieved via Remote Desktop Protocol using compromised accounts lacking multi‑factor authentication (“Both incidents involved the use of Remote Desktop Protocol (RDP) via compromised accounts sans multi-factor authentication”).
• [T1190] Exploit Public-Facing Application – RDP access to exposed services implies exploitation of a public‑facing service to gain access (“Both incidents involved the use of Remote Desktop Protocol (RDP) via compromised accounts”).
• [T1020] Automated Exfiltration – Use of MEGA cloud storage for likely data exfiltration (“We also saw attackers use the MEGA cloud storage platform, presumably for data exfiltration”).
• [T1218] Signed Binary Proxy Execution – DLL sideloading via a legitimate SentinelOne executable: SentinelBrowserNativeHost.exe launched from Downloads loaded SentinelAgentCore.dll which then loaded data.bin (“SentinelBrowserNativeHost.exe, a legitimate SentinelOne executable, was launched from the user’s Downloads folder, which then loaded SentinelAgentCore.dll. From this, data.bin was subsequently loaded”).
• [T1490] Inhibit System Recovery – Deletion of shadow copies using vssadmin to prevent recovery (“vssadmin delete shadows /all /quiet”).
• [T1089] Disabling Security Tools – Registry modifications and PowerShell commands to add Defender exclusions and disable real‑time protection and services (“Add‑MpPreference -ExclusionPath …”, “reg add … DisableRealtimeMonitoring”, “Stop-Service -Name “WinDefend” -Force”).
• [T1486] Data Encrypted for Impact – Ransomware encrypted files and left ransom notes claiming theft and providing contact/verification links (“the ransom note starts off with the words “We’re Cephalus” … claim to have stolen “confidential data””).